
Exam AZ-303 topic 2 question 47 discussion

Actual exam question from Microsoft's AZ-303
Question #: 47
Topic #: 2

You have the following Azure Active Directory (Azure AD) tenants:
✑ Contoso.onmicrosoft.com: Linked to a Microsoft 365 tenant and syncs to an Active Directory forest named contoso.com by using password hash synchronization
✑ Contosoazure.onmicrosoft.com: Linked to an Azure subscription named Subscription1
You need to ensure that you can assign the users in contoso.com access to the resources in Subscription1.
What should you do?

  • A. Create an Azure management group that contains Subscription1.
  • B. Configure contoso.onmicrosoft.com to use pass-through authentication.
  • C. Create guest accounts for all the contoso.com users in contosoazure.onmicrosoft.com.
  • D. Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.
Suggested Answer: C
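The suggested answer carried out as a procedure, written as an added example that is not part of the exam question or of any comment below: in the contosoazure.onmicrosoft.com tenant, invite a contoso.com user as a B2B guest, then assign an RBAC role on Subscription1 to the resulting guest object. The tenant names come from the question; the user address, the subscription id and the Reader role are constructed placeholders, and the Microsoft.Graph and Az PowerShell modules are assumed to be installed.

```powershell
# Added example (not from the page). Assumes the Microsoft.Graph and Az modules
# are installed and that the caller can invite guests in the tenant and manage
# role assignments on the subscription.

# 1. Sign in to the tenant that is linked to Subscription1 and invite the user.
#    The user object is created in contosoazure.onmicrosoft.com with userType 'Guest';
#    the identity stays in contoso.com, which is why no second AAD Connect is needed.
Connect-MgGraph -TenantId 'contosoazure.onmicrosoft.com' -Scopes 'User.Invite.All'

$invitedUser = 'alice@contoso.com'          # constructed placeholder address
$invite = New-MgInvitation -InvitedUserEmailAddress $invitedUser `
    -InviteRedirectUrl 'https://portal.azure.com' `
    -SendInvitationMessage:$true

$guestObjectId = $invite.InvitedUser.Id      # object id of the new guest account

# 2. Grant the guest access to resources in Subscription1 via Azure RBAC.
$subscriptionId = '<Subscription1-id>'       # placeholder; use the real subscription id
Connect-AzAccount -Tenant 'contosoazure.onmicrosoft.com' -Subscription $subscriptionId
$scope = "/subscriptions/$subscriptionId"

# Least privilege: start with Reader and widen only where the workload needs it.
New-AzRoleAssignment -ObjectId $guestObjectId -RoleDefinitionName 'Reader' -Scope $scope

# 3. Check: the assignment is visible on the subscription scope for the guest object.
Get-AzRoleAssignment -ObjectId $guestObjectId -Scope $scope |
    Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
```

The guest still authenticates against contoso.onmicrosoft.com (password hash sync), so sign-in policy for these users continues to be enforced by the home tenant, while the role assignment lives in the tenant that owns Subscription1.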

Comments

tp42
Highly Voted 3 years, 11 months ago
This is the 3rd time the question pops up with different answer sets. I'm starting to hate it. So far the most likely answers were:
  • Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1.
  • Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
  • Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.
upvoted 86 times
TSMRE
3 years, 11 months ago
I have bad news for you, I passed the exam today (6/7/2021) and this question was there but ALL those were an option in the question, but I said deploy a second server!
upvoted 2 times
ME12982
3 years, 11 months ago
That's really bad. What was your score, and how many questions were from this dump?
upvoted 1 times
TSMRE
3 years, 11 months ago
Scored 860, with I'd say 50/60 questions being from this dump, and a completely different case study not available here yet.
upvoted 4 times
diptanu1430
3 years, 10 months ago
How many total questions?
upvoted 1 times
HDZ78
3 years, 11 months ago
While I get your frustration @tp42, I believe the question is intended to test your knowledge of the deeper core tenets of Microsoft's overall architectural principles. Based on the following articles I would suggest that there is a 'best practice hierarchy' to these answers. Since there is no information given on this being an organization with more than 1 million users, merging the subscription under one tenant would trump the other options, depending on how it impacts Azure AD signal traffic and user login prompts. On the other hand, it does depend on how the tenants are configured, as using Azure AD Connect or AD FS could actually decrease the number of prompts if those are configured for SSO. Please read the following articles: https://www.microsoft.com/security/blog/2020/04/30/zero-trust-deployment-guide-azure-active-directory/ https://docs.microsoft.com/en-us/microsoft-365/education/deploy/design-multi-tenant-architecture
upvoted 1 times
israelbarros
3 years, 9 months ago
me too :(
upvoted 1 times
wenbo
3 years, 11 months ago
Syncing the same user to multiple AADs is not supported: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies. Deploying a second AAD Connect server should not be an option. Modifying the current one to point to the contosoazure.onmicrosoft AAD is an option, but it means the contoso.onmicrosoft AAD cannot authenticate contoso.com users; actually this is the M365 AAD. If we configure ADFS here, and stop syncing to the contoso.onmicrosoft AAD as well, it's an option, although it also means the M365 AAD will not work for contoso.com. Transferring the subscription to the M365 AAD must be a reasonable option. Why aren't guest users an option? Why not the B2B scenario?
upvoted 5 times
Cramster
3 years, 10 months ago
I would also like to know. B2B seems like an easy way to grant access for users in another AAD tenant
upvoted 2 times
jmay
3 years, 4 months ago
Syncing the same user to multiple AADs is in preview and probably going to be supported soon: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-azure-ad-tenants
upvoted 1 times
Jcbrow27
Highly Voted 3 years, 11 months ago
  • Associate Subscription1 to contoso.onmicrosoft.com. Reassign all the roles in Subscription1.
  • Deploy a second Azure AD Connect server and sync contoso.com to contosoazure.onmicrosoft.com.
  • Configure Active Directory Federation Services (AD FS) federation between contosoazure.onmicrosoft.com and contoso.com.
upvoted 10 times
Duncan
Most Recent 3 years, 3 months ago
Selected Answer: C
ADFS just provides SSO, not the identity itself; a guest account is an identity.
upvoted 4 times
Disco87
3 years, 1 month ago
Totally agree, ADFS only provides authentication and authorisation. Without an identity in the AAD for the second tenant (and the text makes no mention of a second AD Connect syncing users), there's no way to assign permissions to resources in Subscription1. C seems to be the only option which would allow it to work in this variant of the question. It would be awful to manage if the AD has a large user population, though!
upvoted 1 times
Legan
3 years, 4 months ago
It cannot be D. If you set up External Identities via SAML (ADFS), you cannot federate with a domain that is verified in ANY Azure AD tenant. Also, even if the contoso.com domain wasn't verified in Azure AD, you would still need to create guest accounts, and based on the UPN suffix the ADFS federation would be triggered for federation.
upvoted 1 times
plmmsg
3 years, 4 months ago
Answer should be C. Create guest accounts.
upvoted 1 times
awalao
3 years, 5 months ago
Selected Answer: C
Duplicated question. Answer is C.
upvoted 4 times
syu31svc
3 years, 8 months ago
Answer is D: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview. AD FS extends the ability to use single sign-on functionality that is available within a single security or enterprise boundary to Internet-facing applications, to enable customers, partners, and suppliers a streamlined user experience while accessing the web-based applications of an organization.
upvoted 2 times
MinhajR
3 years, 8 months ago
On Exam 27/08/2021
upvoted 2 times
Ario
3 years, 8 months ago
C is the logical answer here.
upvoted 1 times
israelbarros
3 years, 9 months ago
Could any moderators review this issue?
upvoted 1 times
R3dex
3 years, 9 months ago
If D is correct, then this is the documentation: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation
upvoted 4 times
tita_tovenaar
3 years, 10 months ago
I think the answer is B, based on ref: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn
  • A is out of the question.
  • B is clearly possible.
  • C is possible too, but cumbersome and hardly sustainable.
  • D is irrelevant; we don't have on-prem MFA, nor external identity providers. Federation is not necessary.
From the decision flowchart, B makes the most sense.
upvoted 2 times
PerfumoPeru
3 years, 9 months ago
How can B be an option... please read a little more MS documentation!!! For me it's D or C. D: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-single-adfs-multitenant-federation C: It's hard but possible.
upvoted 1 times
bamendoza
3 years, 10 months ago
I am inclined to grant guest account access; it is a much easier approach to the same goal. https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-external-users
upvoted 2 times
datts
3 years, 10 months ago
I think the answer is C. It is the easiest way to grant users from another AAD access to resources in a different tenant or subscription. There is no mention that the AD account is synced to AAD via AD Connect. It does not matter what authentication is used; the contoso AD user needs to be in the contosoazure.onmicrosoft.com tenant to access resources in it, so B and C are not valid. A is not valid either, as the account is not there in the contosoazure.onmicrosoft.com tenant.
upvoted 1 times
Mkbala
3 years, 10 months ago
So what is the correct answer? D is right?
upvoted 2 times
azurelearner666
3 years, 3 months ago
No, it is C.
upvoted 1 times
Anu2020
3 years, 11 months ago
For the same question more than one answer is possible, hence we have to read carefully before answering.
upvoted 1 times
TSMRE
3 years, 11 months ago
Given answer is correct :)
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other